Lessons from cyber-breach responses

May 2018

Audit committee chairs and cybersecurity experts alike believe that for most companies cybersecurity breaches are inevitable. “Everyone knows they might get hacked; all are preparing for some type of event. The attitude has shifted from prevention to protection,” one audit chair said. Cyber breaches typically carry a high financial cost for companies. In 2017, the average cost of a data breach was $3.62 million. The cybersecurity industry is now a multibillion-dollar business—with experts estimating that nearly $655 billion will be spent on cybersecurity initiatives between 2015 and 2020—and cybercrime could cost businesses worldwide more than $6 trillion annually by 2021. Given the high risk of cyberattacks and the potentially severe consequences, boards and audit committees are focused on ensuring that their companies are ready to respond to a cyber event when it happens.

On April 16, 2018, members of the North American and European Audit Committee Leadership Networks met in London to discuss cyber-breach response and disclosure with two guests: Adam Banks, CIO at Maersk, and Seth Berman, partner at Nutter McClennen & Fish.

This ViewPoints includes background information and synthesizes the perspectives that members shared before and during the meeting on the following topics:  

  • Real-time responses to cyberattacks
    Cyberattacks vary widely, and the effects on an organization are never identical. In 2017, Maersk was the unintended victim of the NotPetya ransomware attack. It was a massive, costly breach that stripped the company of its global systems. Mr. Banks explained to members how the company assessed the damage, executed its recovery, and communicated with internal and external stakeholders. As with Maersk, any company that is involved in a cybersecurity crisis faces the challenge of responding quickly, thoroughly, and transparently. 

  • Cyber preparedness and lessons learned 
    After an attack, both victims and observers are wise to assess how the affected companies responded and, as necessary, how they should revise their approach to both cyber-breach planning and broader risk management efforts. A change from prevention-focused thinking to a mindset of detection is critical in today’s cyber-risk environment. Companies’ preparedness should go beyond basic hygiene to include a broader understanding of potential threats to the business. The board can play an important role in providing oversight of the company’s preparedness.